Krebs on Security

In-depth security news and investigation

Banks: Credit Card Breach at CiCi’s Pizza

CiCi’s Pizza, an American fast food business based in Coppell, Texas with more than 500 stores in 35 states, appears to be the latest restaurant chain to struggle with a credit card breach. The data available so far suggests that hackers obtained access to card data at affected restaurants by posing as technical support specialists for the company’s point-of-sale provider, and that multiple other retailers have been targeted by this same cybercrime gang.

Over the past two months, KrebsOnSecurity has received inquiries from fraud fighters at more than a half-dozen financial institutions in the United States — all asking if I had any information about a possible credit card breach at CiCi’s. Every one of these banking industry sources said the same thing: They’d detected a pattern of fraud on cards that had all been used in the last few months at various CiCi’s Pizza locations.

Earlier today, I finally got around to reaching out to the CiCi’s headquarters in Texas and was referred to a third-party restaurant management firm called Champion Management. When I called Champion and told them why I was inquiring, they said “the issue” was being handled by an outside public relations firm called SPM Communications.

I never did get a substantive response from SPM, which according to their email and phone messages closes at 1 pm on Fridays during the summer. So I decided to follow up on a tip I’d received from a fraud fighter at one affected bank who said they’d heard from the U.S. Secret Service that the fraud was related to a breach or security weakness at Datapoint (CiCi’s point-of-sale provider).

Incredibly, I went to look up the contact information for datapoint[dot]com, and found that Google was trying to prevent me from visiting this site: According to the search engine giant, Datapoint’s Web site appears to be compromised! It appears Google has listed the site as hacked and that it was once abused by spammers to promote knockoff male enhancement pills.

A quick look at Datapoint’s site via a virtual machine-protected Linux browser indicates that CiCi’s Pizza is indeed one of the company’s largest clients. The Secret Service did not immediately respond to requests for comment.

Undeterred, I phoned and emailed Datapoint, and heard back via email from Stephen P. Warne, vice president of service and support for the company. Warne said I was jumping to conclusions and that my “sources” must have had a beef with the company. Here’s his email to me, verbatim:

If you did indeed talk to the Secret Service you would know that the breaches they have investigated involved multiple POS vendors in one particular franchise, including Harbortouch and Granbury Restaurant Systems.

You would also know that not one Agent we spoke and cooperated with came to any conclusion of wrong doing on our part after scans months ago. The SS actually helped point out that these hackers used among Team Viewer, Screen Connect and some others they installed.

All of these attacks have been traced to social engineering/Team Viewer breaches because stores from SEVERAL POS vendors let supposed techs in to conduct ‘support’. Nothing to do with any of our support mechanisms which are highly restricted and well within PCI Compliance.

I won’t say much else on this as this is not a Datapoint breach. We just happened to have by far the most systems in that particular franchise overwhelmingly.

Interestingly, this apparent breach comes to light amid a great deal of speculation on Reddit and other places online about a possible data breach at Teamviewer. The idea that countless credit card terminals or cash registers at CiCi’s Pizza establishments and other businesses could have been compromised by cybercriminals who simply phoned up the establishments posing as tech support technicians for various point-of-sale vendors is remarkable (and frankly pretty ingenious).

I’ll no doubt have updates to this story as the weekend progresses. Stay tuned.

Update, June 4, 5:01 p.m. ET: Edited the sentence about Google’s listing the site as hacked.

This entry was posted on Friday, June 3rd, 2016 at 7:47 pm and is filed under Data Breaches.

I second Mike’s question: that Sucuri link is for the results of a scan of a different site. WAFLleague.com? Never heard of it (yes, Sucuri say it’s been hacked, but that’s not relevant here).

Elementary slipup, Brian. In fact Sucuri give datapointpos.com a clean bill of health, with no mention of that Viagra page you give a link to. URLQuery also marks the site as clean.

Clicking on the link to that “Viagra” page displays a webpage with nothing untoward apparent, apart from the URL.

The Google warning (“This site may be hacked”) is still there though. According to the Big G “The notification won’t be removed until the webmaster of the site takes action” – and I would have expected DatapointPOS to have contacted Google long before now to get this warning removed.

1st – Some of the wording in this ‘article’ is negligent and flagrantly untrue. Google did not BLOCK DatapointPOS as Brian’s Twitter link teases, nor does it say it is serving Malware as Brian’s caption says above.
It is flagged as “possibly hacked”. At worse, there was an attempt at Adware injection in the past. Complete distortion to generate attention.

2nd – That is a home page placeholder for us. We do niche POS sales on request. That site hasn’t even been updated since 2012 except for a logo or two. Look at the “News”. We have it just because we should have a homepage. It is not used as a portal for our customers, it has no shopping cart, it has no sensitive information.

This was irresponsible and negligent- What was the rush Brian Krebs? Why did you give DP only 2 hours or so on a Friday EVENING to comment before you ‘just had’ to publish this? Why couldn’t you wait to get proper information and responses?

I started the process of reaching out to Cici’s early in the morning on Friday, and got sent to an outside management firm, and then to a PR firm representing CiCi’s. The PR people never did help or respond, despite assurances that they would. In the meantime, I heard from you with a fairly comprehensive response.

Nobody is censoring you, Todd. If you leave a bunch of comments close together, my automated system may flag you as a bot. It’s nothing personal, but it sometimes takes me a while to get around to cleaning out the comments waiting for moderation. Two of yours got moderated.

I wouldn’t hesitate for a moment to let you comment on this matter. Happy to give you all the rope you need.

Brian – I thought you are a security guy, not a POS guru. Isn’t the article supposed to be about credit cards? Or are you now a self-proclaimed POS expert as well?

Ok, so DP may have slipped in not keeping up with possible adware injections for a website neither they nor their customers depend on nor paid much attention to the past years (because neither we nor our customers use it).

This has NOTHING to do with POS issues nor confidence in serving POS customers.

The simple fact is we do not use our homepage to drive sales. We have one because you have to have one.

At worse, someone clicks on a link in the past year or so and got redirected (possibly) to someone selling viagra.

Stick to the point – Credit Card fraud, not inadvertent Home page mistakes. Why grab low-hanging fruit to draw people to your blog with sensationalism?

Todd, with all due respect, if one can’t be bothered to maintain a web server, why should that one be trusted with a POS system? Whether the site is used by many or not is totally irrelevant: it exists, and it’s publicly accessible.

“At worse, someone clicks on a link in the past year or so and got redirected (possibly) to someone selling viagra.”

Wow, someone must be losing clients over this. I agree with what the other two previous people said – after that statement how can anyone trust you? Look, anyone can get popped. That happens. However, letting it happen for over a year, that gets into basic controls and monitoring.

Todd would you trust a company to implement your POS system if that company has not done a simple website crawl (hey Google!) in over a year to see what they are truly hosting? Food for thought since this seems to have upset you. Step away for a minute and look at the big picture here.

Todd: “At worse, someone clicks on a link in the past year or so and got redirected (possibly) to someone selling viagra. ”

And the site they were redirected to may contain some sort of malware.

You may not use your webpage to drive sales…but it gives people an impression of your company. If you don’t care to properly maintain and protect it, many could end up thinking that you don’t care to protect and maintain the security of their POS systems.

Where do you get that from this article? Or just wanted to drop an overused cliche? This looks like spearphishing and is pretty common, as employees at these types of smaller restaurants and fast food are gullible, especially when the hackers know how to talk the talk. Sounds more like what has been happening to many over the past years, more and more.

Datapoint’s website shouldn’t be vulnerable regardless, even if its clients get hacked or phished.
That’s like saying “since I have a bank account at BoA and I got hacked, it’s ok if BoA’s website is hacked”
Those two things should never be connected.

It’s not spearphishing, it’s social engineering. A simple call to corporate, the franchise owner, and/or DP should have alerted the location that techs were not scheduled to “update/work on” the POS systems.

Boy, I’d hate to be in your restaurant on a busy day. Everyone calling or emailing the companies the boss listed, to see if it’s a hacker or a customer; someone’s service will be compromised. But, why is it a franchisee’s duty to run the POS devices’ update? Why does the franchise have to know the POS device employees? Or their service dates? That’s why there are social engineering attacks. And the systems integrate? Second mistake. Money systems should always be separate from all other systems. Yeah, I know, convenience? Lost money, yeah, you lost it for convenience. What convenience did you save, name?

Hate to break the news to you but if you are a business running credit cards, you definitely should know beforehand when maintenance or an update is going to happen to your POS. If I do not know about it, they simply cannot do work on it.

Before you go further, one should also know the company that will perform the maintenance and have a contact / support line to call that knows when this stuff is happening.

Based on your comments I am not sure that will get through to you so to make it easier, think of a bank and the armored couriers transporting money. Think the banks know everything they can about the company and schedules? Why should it be different just because it is a credit card?
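The article describes attackers phoning stores as vendor support staff and getting remote-support tools such as TeamViewer and ScreenConnect installed on registers, and the comment above insists a merchant should know in advance when any maintenance is scheduled. Put together, that gives a concrete detection rule: a remote-support tool starting on a POS host outside an approved maintenance window is an alert. The script below is an added example, not code from the article, from Datapoint or from any vendor named here; the log format, host names, change calendar and the list of tool name markers are all constructed for the example.

```python
from datetime import datetime

# Lower-case substrings that identify remote-support tools in an image name.
# TeamViewer and ScreenConnect are the tools named in the article; the list
# itself is an assumption for this example and would be tuned per environment.
REMOTE_TOOL_MARKERS = ("teamviewer", "screenconnect")

# Constructed change calendar: (host, window start, window end). A remote
# session outside these windows was not arranged through the vendor's desk.
APPROVED_WINDOWS = [
    ("POS-STORE-101", datetime(2016, 6, 2, 22, 0), datetime(2016, 6, 3, 1, 0)),
]

# Constructed process-creation events in the form "timestamp|host|user|image".
SAMPLE_LOG = r"""
2016-06-02 22:15:03|POS-STORE-101|SYSTEM|C:\Program Files\TeamViewer\TeamViewer.exe
2016-06-03 14:02:41|POS-STORE-102|register1|C:\Users\register1\AppData\Local\Temp\ScreenConnect.ClientSetup.exe
2016-06-03 14:05:10|POS-STORE-102|register1|C:\POS\pos.exe
2016-06-03 16:30:00|POS-STORE-103|manager|C:\Users\manager\Downloads\TeamViewer_Setup.exe
"""


def parse_event(line):
    """Split one log line into (timestamp, host, user, image path)."""
    ts, host, user, image = line.split("|", 3)
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, user, image


def image_name(image):
    """Basename of a Windows-style path."""
    return image.rsplit("\\", 1)[-1]


def is_remote_tool(image):
    name = image_name(image).lower()
    return any(marker in name for marker in REMOTE_TOOL_MARKERS)


def in_approved_window(host, ts, windows=APPROVED_WINDOWS):
    return any(h == host and start <= ts <= end for h, start, end in windows)


def find_unapproved_remote_tools(log_text, windows=APPROVED_WINDOWS):
    """Return (host, user, image name) for every remote-support tool launch on a
    host with no approved maintenance window covering that moment."""
    alerts = []
    for line in log_text.strip().splitlines():
        ts, host, user, image = parse_event(line)
        if is_remote_tool(image) and not in_approved_window(host, ts, windows):
            alerts.append((host, user, image_name(image)))
    return alerts


if __name__ == "__main__":
    for alert in find_unapproved_remote_tools(SAMPLE_LOG):
        print("unscheduled remote-support tool:", alert)
```

Of the four constructed events, only the TeamViewer launch on POS-STORE-101 falls inside its scheduled window; the ScreenConnect installer on POS-STORE-102 and the TeamViewer setup on POS-STORE-103 are flagged, which is the pattern the article describes a store employee letting in over the phone.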

I have found many times Google’s alerts about website compromises to either be inaccurate or stale. I am behind an enterprise UTM with multiple layers of defenses and datapointpos.com is not coming up as being flagged by either malware engine, by the intrusion protection, the advanced threat protection, or anything else. Google sometimes will throw up that warning as a precaution IME.

As far as the CiCi’s angle goes I will watch this with great interest like I do for every single one of Brian’s stories. I typically do not report on anything I find until I see where Brian’s story goes…good job and a great resource Brian!

Very misleading Twitter link to this, don’t you think Brian? One thing has nothing to do with the other. So a website (like many) gets flagged by Google and you try to tie it in with credit card fraud at the store POS level.

On one hand, the entire CPP (common point of purchase) approach is based on coupling events that seem independent on the surface. (Similar limitations to a polynomial for error detection/correction, as I’ve previously pointed out here.)

However, if the bad guys know we ignore events that can’t be understood, then we fall into dismissing why one trains to take off, and not land, an airplane (as a classic example with bad outcome), and that will be exploited.

The problem is, whatever falls within detection will be avoided, and whatever falls outside will be exploited.

So, are the events related, connected, or some secondary indicator? Who knows, and we may never know. That is the nature of the problem.

That said, Brian’s reports, in my opinion, are useful and correct, as he did not present the events suggesting there is or is not a connection. It does remain an odd coincidence at this time (as does the TeamViewer issue).

Part of the service Brian does is alert to fluid in progress issues, which very often are not well understood. So I would grant extra latitude from criticism of publishing less than fully vetted stories.

Fine, but again, why the rush to not vet something first?
And why the blatantly erroneous and sensationalist comments like Google is blocking DP or Google thinks DP is Serving malware.

Neither have any basis. Google just flagged DP. No Block. No notice of malware serving.

Simply irresponsible journalism to draw attention to his blog.

I’m not going to feed this more. Enough have said what I have said in some form. This is a negligent piece of reporting that should have waited until more information was gathered and some vetting done.

When it comes to the topic Brian covers you will not find a better site/reporter. I think you completely misunderstand Brian and the fact that he is NOT out to harm businesses. I think being tied to a security breach is causing you to sweat and freak out a little. This happens every day and most of the time the victim isn’t aware. So stop finger pointing. If you are innocent and DATApoint doesn’t have any part of the blame here, it will come out. Be patient and stop trying to comment, it will only hurt you.

Brian did nothing wrong… but you commenting did make this story a lot more interesting imo! If anything you have promoted it!

Given how often I used the Dell Webex to log into customer machines for fixes this is no surprise. The “with it” SysAdmins would call up, put me on speakerphone, pop a webex session up and imply 5 across the board on the satisfaction survey if things would just work.

If you can’t secure your main site from being hacked, what does that say about the security policies of the company? Everything is about credibility. The fact it got so bad the site was listed as hacked by Google means it’s been that way for a while.

You don’t seem to comprehend if an attacker was able to upload spam pages for Viagra there is absolutely no reason they couldn’t modify your main pages to serve malicious content. You should be counting your stars they didn’t because it would only take a few minutes of effort once they had access to /www/.

Brian had to point out where the Viagra pages are at, which means you guys didn’t even clean the site after his article. Ever heard of due diligence? If you’re going to thrash his reporting at least fix your own mess first.


Very good job Brian. Haters will always hate. Datapoint seems to be clueless when it comes to security. That’s probably why it was so easy to impersonate them to customers.

Because as stated, that is NOT our main site. It’s an info-only page to just have one. It’s not our portal, it’s not used for customer service, it’s for NON-customers and is rarely updated. Isn’t this supposed to be about credit card fraud, not “wonky” HTTP 404 responses?

Todd, I truly hope you are NOT an employee of Datapoint. In the early 1980’s I followed better security back when I hosted a number of BBS servers using Wildcat! BBS. Your plea or claim that your infiltrated public site does not need monitoring falls on deaf ears, as the statement has no substantiation in fact. If in fact you are an employee of Datapoint and if the Datapoint firm’s other employees have an awareness similar to yours, I feel sorry for the firm’s other customers and for the firm’s investors.

Little do the newcomers realize that all of this “activity” can be tied together very easily. It only takes one area of compromise before something – Bot or human – has sufficient rights through escalation – see the 90,000 dollar zero day for example.

Once you’re into the network, it’s pretty much over. The most sensitive area has had its pants yanked down, and you all scream for attention in other matters.

I am sure Brian is chuckling in the background, potentially at how clueless people come in here firing shotgun comments without knowing all the hidden facts.

Look at the rep he has reported on over the years. His accuracy is pretty high in spelling out what details the common reader needs to know. It is typical for a third party to be involved in some of these breaches. Was this particular event a targeted attack….I am sure we will all find out soon enough – when the end of the story comes out – and matches what Brian mentioned all along.

If you’re sour about the bait that you ate, go eat somewhere else. I am sure the other places will have regurgitated samples for you to enjoy.

I’m working on a PCI project for a client that has both CNP and POS transactions. I’m working with them on a POS anti skimming inspection policy and procedures and this story reminded me of the need to have a section on the need to check the credentials of anyone claiming to be tech support staff. Thank you.

Todd – Best of luck in your next career. After the ludicrous comments you posted I wouldn’t be surprised to see your employer show you the door (I surely would as you have done more damage to your organization than the breach at this point) and you have fully convinced me to take my business elsewhere, where customers information is actually valued and protected as required. Loss of goodwill with your customer base is something not easily won back!

For me, the issue is less that your website was hosting the male enhancement advertisements and more that someone had write access to your web server. Whether the male enhancement (or whatever they are) pages have been removed or not, if they were ever there, that’s a problem. If someone were able to upload content to your server, they were likely also able to upload a command shell, or overwrite a binary on the machine (whether they did or not).

This means they’d basically have an open door into your network where it may be possible to pivot through your DMZ into your internal network where you are actually storing sensitive customer data. The fact that you refer to it as an ‘unused advertising site’ is a red herring in itself. Most competent attackers won’t go straight for your most critical systems anyway. They’d prefer to attack something you seldom think about and probably neglect to update.

Now maybe you have a very mature monitoring system in place and are 100% positive the attack stopped at point X and no data was exfiltrated. But, the fact that (a) you are dismissing the severity of someone arbitrarily writing to your web server, and (b) you didn’t discover it for several months (and YOU didn’t discover it at all), tells me you likely don’t know the extent of the attack yet.

Whether any of this actually occurred or not is beside the point. The point is, it’s indicative that something COULD have occurred, and you’re attempting to downplay and dismiss that fact, seemingly as a PR move.
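The comment above argues that the real problem is not the spam pages but that someone had write access to the web server. The check a defender wants for that is a baseline of file hashes for the webroot, compared on a schedule so that dropped-in pages and rewritten files surface immediately rather than after Google flags the site. The script below is an added example, not Datapoint’s code or anything from the article: it baselines a tiny constructed site in a temporary directory, simulates a new page appearing in a stale subdirectory plus an edit to the home page, and reports the difference.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large assets do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Return added, removed and modified paths between two manifests."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: baseline a placeholder site, then simulate the kind
    of change discussed in the thread (an unexpected page in a directory nobody
    looks at, and the home page altered)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "news"))
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<h1>Placeholder home page</h1>")
        with open(os.path.join(root, "news", "2012.html"), "w") as f:
            f.write("<p>Last updated 2012</p>")
        baseline = build_manifest(root)

        # Changes nobody on the team made (constructed for the example).
        with open(os.path.join(root, "news", "cheap-pills.html"), "w") as f:
            f.write("<p>unsolicited content</p>")
        with open(os.path.join(root, "index.html"), "a") as f:
            f.write("<!-- altered outside the release process -->")

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

In production the baseline manifest would be written at each legitimate deploy and stored off the web server, since an attacker with write access to the webroot can otherwise update the baseline along with the pages.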

Oh my. The sad part is this is all too common of the state of affairs when it comes to handling these “assets”.

There are several issues, and yes, they do have a connection. Here is a rather disorganized list:

1) the asset’s value to the company may be zero, however hackers may value it higher (“One man’s trash is another man’s treasure” is a timeless saying for a reason). This mistaken view assumes (as the Linux folks say) God’s view, namely that the company can see all potential uses of the ‘asset’. Fact is, most companies are sitting on liabilities, not assets, as the monetization for the bad guys is often higher than the legitimate uses (they do not have the constraints of using the data legally, but that is at least partially offset by restricted market access, so one could argue it can go either way in any given situation). Moral here is a company’s valuation of the asset isn’t the final word.

2) the asset’s value is often irrationally changed. We often hear how an ‘asset’ is highly valued prior to hacking, and then claimed worthless afterwards. As I have commented on other hacks before, this is very similar to derivatives, where as Warren Buffett quips “the only instrument I know where both the buyer and the seller recognize a ‘profit’ on the same transaction” (paraphrasing here). This thinking leads to further mistakes, such as not valuing information about third parties (which in hacks tends to be the leaked data, in this case potential customers of POS systems’ IP addresses, at a minimum).

3) intrinsic valuation is often overshadowed by the company’s monetization. The page has some intrinsic value (even as a domain placeholder, and it could be negative value). Whether or not that is monetized by the company is the irrelevant issue here. One can legitimately assume folks visit the page rendered by Google search, and those folks would, by nature of being potential customers, be not all that familiar with your POS (which is why they google and go to the site). Thus they are likely to be the most vulnerable to social engineering attacks. So, not caring that potential customers’ IP addresses are given as a targeted list does not in my mind constitute due care. Moral here is there IS intrinsic value to the domain and page (a hacker took the time to do the viagra link hack, so at least one hacker out there thinks it is worth something).

4) If all the bad guys did is serve up ad pages then you are lucky.. that can change (or did change and then back again) in a heartbeat. The argument that the company was lucky does not change the risk here. One may cross the street and return without checking for traffic, but success does not make it a good idea. And it certainly doesn’t support doing it again. It was never a good idea; the luck of ‘success’ simply does not change it. A backup power plant at ground level for a reactor was not a good idea; whether there was or was not a tsunami, it was always a bad idea. Sure, bright folks figured the chances, and their fancy math made it look good on paper.. but after the fact most folks say “that was dumb”. So, the argument that the tsunami has not hit your page does not instill confidence of due care.

5) That said, the above stems from the all too common dismissal of events that are not understood (see earlier comments). The company by nature is confident of their understanding and approach, (or would have already put in place plans to change it.). Whether we know why or how someone could exploit the out of control ‘asset’, does not change the intrinsic risks of having the ‘asset’ controlled by folks with less than pure intentions. (side technical note: It is no pirate’s code that says hackers will only serve up advertising.. in fact malware in ads is quite an issue. Given the rich target of potential POS customers who are also new, it is hard to imagine the bad guys NOT trying to exploit that target list.). Unfortunately, the human dismissal of that which we do not understand has historically resulted in bad outcomes (We now know why folks trained to take off, but not land, but we are minus several thousand people, two world trade centers, etc.). Summary here is that demanding a known outcome prior to taking a risk seriously is to be a historian of disasters.

note on value of viagra page:
The assumption that because the visiting IP addresses of potential customers is of no particular monetary value to the company does not mean that the viagra pages don’t have a nice targeted list of potential customers (victims of subsequent attack). As a hint, you could check IP addresses to both the domain and the portal, as those would likely be the targets (either social, or teamviewer related?). That might be more useful than waiting to understand how it could be exploited (contain the scope of the problem).

6) I sympathize with the company’s plight. However, all too often companies attempt to shoot the messenger. The signal that sends is not in your company’s best interest. Imagine a whitehat (good guy) finding a serious flaw.. they want to report it to you, but given the response folks see here.. they can reasonably guess they will be given a hard time, and so may tend to take a pass. Sooner or later the bad guys will find the flaw, and waste no time in exploiting it. This is why some companies offer bounties on bugs, and encourage reporting on flaws. The idea is that companies can make their systems stronger, and third party information is better protected, so society benefits as a whole. The responses here are faulty from a PR standpoint, but also because the company is fighting the wrong battles. Even if you won the battle (which you already lost), you have lost the war. That’s not a put down, it is simply my humble assessment. Yes, I get it, there is likely an emotional “how dare he say…” response. I suggest exploring that within your company a bit, as it appears it has at least contributed to a less than stellar handling of the situation. Again, do not feel alone; there are way too many companies that have, are, and will behave similarly. The check boxes of the cyber plan perhaps give companies peace of mind, but in general, I am not fully convinced of its value, primarily because it often gives false confidence (see God’s view reference above).

I do wish your company the best. My apologies for not better organizing the above, but nonetheless hope it helps you and your company.

Todd, hypocrite much? You castigate Brian for not being on target, and then you go pointing fingers about two other POS vendors like a child complaining about his sibling to his parents. That might be good for another one of Brian’s articles, but with all due respect, this article is about DP. All this looks like is a lot of butt-hurt from you – assuming that you are indeed employed by DP. Own up for what happened and stop trying so desperately to deflect.

Some sage advice: before jumping into the deep end (of a pool), test the waters. And before going for a swim, try to get a lay of the land.

I know you can’t really do that when someone calls with a fire, but if your job is anything related to security, then you had plenty of time to learn about krebsonsecurity.com.

You would have had plenty of other articles to comment on. If you had commented on earlier articles, you’d have eventually discovered that comments don’t always post immediately. You’d also have seen other people complaining about comments not posting immediately. And you’d have seen @Brian explaining that some get stuck in a moderation queue which he has to manually review, and which if they’re not absolutely spam, he’ll allow through.

The comment moderation behavior triggers on everyone (I hit it regularly, I also used to hit a problem where the website would clear my name+email+comment fields shortly after I started writing a comment, I’m not sure if that’s actually fixed yet).

Anyway, general advice again:
1. Test the waters
2. Review old articles — doing this will give you a sense of the tone used by people, and the behavior of others.

These two simple pieces of advice will help you everywhere you go. They can prevent you from looking like a fool.

I get what you’re saying about your home page being required but not attended to. The problem is this! There’s spammy crap there, you don’t agree that there’s spammy crap there. Brian showed it to you, google shows it to you and others have provided links. In the industry you are in, it’s not ok to take security for PCI extremely seriously but then fail in the basics of a web page. The type of content and use is totally irrelevant! It puts a foggy haze around you of…”Well, if they can’t even clean up crap on a web server, how can they possibly secure CC transactions!?!” It’s perception, it may be wrong, it would be in your best interest to do your best to correct this. Put your best foot forward, admit where there’s an issue and move along. Trying to tell us “it’s a non issue” with things like that just throws up red flags. Your response is throwing up more red flags! Get a PR team involved and stop posting.

Anyone considered why Todd is openly commenting on this? I bet he already got fired because he was responsible for the site. Todd, care to provide your linkedin id? I’d love to see if you presently have or have ever had anything to do with Datapoint. My guess is probably not.

No, not at all. Perhaps they already have more customers than they need so they scare the potential ones off by serving up spam, exploit kits or whatever. You know, because a 404 wouldn’t work as well.

Maybe that’s why they don’t worry about their customers getting phished so they don’t use DKIM, SPF or DMARC; they have too many customers already.
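The remark above about a vendor publishing no SPF, DKIM or DMARC records points at a check any merchant can run on its POS vendor (or itself): what do the domain's TXT records actually say, and is the policy strong enough that a forged "support" email would be rejected? The code below is an added example, not from the article or from any company named in it. It evaluates SPF and DMARC record strings offline against constructed samples; fetching the real records (for instance with a DNS library) is left out so the example runs without network access, and DKIM is not assessed because it needs a selector name that is not known in advance.

```python
# DNS-lookup mechanisms that count toward the SPF limit of 10 lookups.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt):
    """Return the SPF terms after 'v=spf1', or [] if txt is not an SPF record."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return []
    return txt.split()[1:]


def assess_spf(txt):
    """List weaknesses in an SPF record; an empty list means nothing flagged."""
    terms = parse_spf(txt)
    if not terms:
        return ["no SPF record: any host can claim to send mail for this domain"]
    findings = []
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        first = all_terms[-1][0]
        qualifier = first if first in "+-~?" else "+"  # '+' is the SPF default
        if qualifier == "+":
            findings.append("'+all' authorises every host on the internet")
        elif qualifier == "?":
            findings.append("'?all' is neutral: receivers will not reject forged mail")
        elif qualifier == "~":
            findings.append("'~all' softfail: forged mail is marked but usually delivered")
    lookups = 0
    for term in terms:
        name = term.lstrip("+-~?").lower()
        for sep in (":", "=", "/"):
            name = name.split(sep, 1)[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: over the limit, receivers return permerror")
    return findings


def parse_dmarc(txt):
    """Return DMARC tags as a dict, or {} if txt is not a DMARC record."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """List weaknesses in a DMARC record; an empty list means nothing flagged."""
    tags = parse_dmarc(txt)
    if not tags:
        return ["no DMARC record: no policy for mail failing SPF/DKIM alignment"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, forged mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid policy tag p={policy!r}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate abuse reports are not collected")
    return findings


def assess_domain(spf_txt, dmarc_txt):
    """Combine both assessments; 'weak' is True if anything was flagged."""
    spf, dmarc = assess_spf(spf_txt), assess_dmarc(dmarc_txt)
    return {"spf": spf, "dmarc": dmarc, "weak": bool(spf or dmarc)}


# Constructed sample records (example.invalid is a reserved, non-resolving domain).
WEAK_SPF = "v=spf1 include:_spf.mail.example.invalid +all"
STRONG_SPF = "v=spf1 mx include:_spf.mail.example.invalid -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.invalid; pct=100"

if __name__ == "__main__":
    print(assess_domain(WEAK_SPF, WEAK_DMARC))
    print(assess_domain(STRONG_SPF, STRONG_DMARC))
```

Passing `None` for either record models a domain that publishes nothing, which is the situation the comment describes; a `p=none` DMARC policy is flagged as well because it only reports forgeries without stopping them.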

That Todd guy cracks me up. He’d rather sit in here and try to defend against something that has happened rather than sit at his desk and DO HIS JOB. I am pretty sure this is not the only site he is lobbing rocks back on the other side of the fence. Writing comments takes quite some time, and over the days, he has commented quite a lot.

If he was more focused on the security of the company he wouldn’t be here making excuses for something that happened on his watch. No matter the amount of smoke and mirrors, one fact remains: something got in to their network. Now it’s up to them to get someone else who is competent in security to come in and unscrew it.

It’s hard to believe that they consider any part of their network unimportant. Like others have said, it’s simply a lily pad to other portions of the network.

The hackers probably found this out quite easily, and noticed a pattern of “unimportance” across several zones, and simply jumped from place to place. I think there were multiple holes and it would be simply wonderful to see the final report. Unfortunately most of you will not be able to see it. Those that do will have to simply smirk and see the truth in the end.

I’ve never understood comments like “this was ingenious”. Is that said because you didn’t think of it? It wasn’t. It’s old school low tech is all. Social hacks have been around for years. It would work almost anywhere; you just have to act like you belong. How many movies have you seen where the perpetrators act like the cable guy, or the phone guy? It’s the same thing. Not impressed at all.

While it was entertaining to hear Todd’s thoughtful perspective, can we go back to Cici’s?
What is their responsibility? How have they not realized their main POS vendor, DP, has weak security practices? How do they train their employees? Where is their responsibility to their customers?
What about wonderful PCI Compliance of Cici’s?